oss-sec mailing list archives

Re: CVE-request: OpenKM 5.1.7 Privilege Escalation / OS Command Execution (XSRF based)


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 04 May 2012 10:12:56 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/04/2012 01:32 AM, Henri Salo wrote:
> On Fri, Mar 23, 2012 at 09:09:30AM -0600, Kurt Seifried wrote:
>> On 03/23/2012 04:00 AM, Henri Salo wrote:
>>> Can I get CVE-identifiers for these two security
>>> vulnerabilities?
>>>
>>> http://osvdb.org/show/osvdb/78105 COMPASS-2012-001
>>> http://osvdb.org/show/osvdb/78106 COMPASS-2012-002
>>>
>>> - Henri Salo
>>
>> I'm going to need some original vendor information (name, site,
>> etc.).
>>
>> -- Kurt Seifried Red Hat Security Response Team (SRT)
>
> Hello Kurt and list,
>
> I received the following information from Paco Avila from OpenKM. I
> hope this clarifies things.

Perfect, thanks!

> "OpenKM Permission Weakness Admin Privilege Escalation"
> COMPASS-2012-001 / OSVDB:78105 / SA47424: Diff: AuthServlet.diff
> Issue tracker: http://issues.openkm.com/view.php?id=1973

Please use CVE-2012-2315 for this issue.

> "OpenKM Arbitrary Admin User Creation CSRF" COMPASS-2012-002 /
> OSVDB:78106 / SA47420: Diff: scripting.diff Issue tracker:
> http://issues.openkm.com/view.php?id=1750

Please use CVE-2012-2316 for this issue.

> - Henri Salo


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
